LABORATORY REPORT

CYBER FORENSICS
MS (Cyber Law and Information Security)
(2013-2015)

Submitted By:
BHANU VRAT (IMS2013054)
NIKHIL AGARWAL (IMS2013055)

Indian Institute of Information Technology, Allahabad

TABLE OF CONTENTS

S.N
o
1.
2
2.

Topic
SMMP Matrix
Mapping of Greg Schards Hacking
case with Forensics Chart
Solving Greg Schards Hacking
case

Page No
..
..

3
5

..

2 | Page

ASSIGNMENT NO: 1
Objective: Analyse a cyber crime case study and create a SMMP Matrix table
for it.
Case Study:
The complainant filed a case of fraud and cheating alleging theft and sale of proprietary data.
The complainant had a subsidiary company in the United States which did business with its
US partner. The US partner provided mortgage loans to US residents for residential premises.
The business of the complainant was providing leads to their US partner. The data included
the details of the loan seekers along with their telephone numbers. The complainant generated
leads through arrangements with call centres in India who called from their database and
shortlisted home owners who were interested in availing refinance facility on their existing
mortgage loans.
Investigation
Preliminary investigations revealed that the accused was holding the post of the senior
programme manager and was the team leader for data management. During employment the
accused along with his father had opened a partnership firm. It was found that raw data was
sent as attachments from the e-mail ID of this (accused) firm's Website domain. The Website
was traced and the e-mail ID address and registration details were recovered by the
investigating officer using specialised software. It was revealed that the accused had passed
data bought by and belonging to the complainant firm to various call centres (as if the same
belonged to his firm), to make the calls on their behalf for generating leads.
The entire business process of the complainant firm was studied and a systems analysis was
conducted to establish the possible source of data theft. The accused had opened a foreign
currency account in the name of his firm. An analysis of the printout revealed that payments
had been made to two call centres. The call centres were contacted and the raw data sent as
attachments were collected. The data was comprised of six separate files and it was compared
with the data purchased by the complainant company in the US. This was done by writing
and executing SQL queries.
Analysis of the e-mail headers of the mails sent by the accused through his ID were carried
out. The originating IP address was found and information was obtained from VSNL.
Accordingly it was found that the range of IP was allotted to the complainant company. It was
thus established that the accused has sent the stolen data from the office of the complainant
company using the e-mail ID of his (accused) firm.
An analysis of the bank account of the accused showed that payments were being made to
two people. It was found that they were also ex-employees of the complainant company who
had resigned after the accused left the company. On interrogation he revealed that he had
roped in two of his colleagues who actively assisted him in his clandestine activities. One of
3 | Page

them, while still an employee of the complainant company, coordinated with various call
centres on behalf of the accused. The other facilitated the installation of proprietary
sequencing software in the personal computer of the accused. In order to have a clientele base
in US, the accused had sought the assistance of one more person. The two accused were
arrested.

SMMP Matrix:
SCENARIO

The complainant filed a case of fraud and

cheating alleging theft and sale of proprietary
data. The complainant had a subsidiary
company in the United States which did
business with its US partner. The US partner
provided mortgage loans to US residents for
residential premises. The business of the
complainant was providing leads to their US
partner. The data included the details of the
loan seekers along with their telephone
numbers. The complainant generated leads
through arrangements with call centres in
India who called from their database and
shortlisted home owners who were interested
in availing refinance facility on their existing
mortgage loans.

MOTIVATI
ON

MAPPING
WITH IT ACT

Financial
Gain

IT ACT Sec
43(j), Sec 72,
Sec72A

POTENTIA
L SOURCE
OF
EVIDENCE
E-mail
header
information

4 | Page

ASSIGNMENT NO: 2
Objective: Map the Greg Schardt hacking case with forensic chart give
below:Mapping:S.No
.

Question

Mapping
5 | Page

1. What is the image hash? Does the acquisition and

verification hash match?

2.

3.

4.

5.

6.

7.

What operating system was used on the computer?

PREPARATION /
EXTRACTION
(Extract data requested)

When was the install date?

PREPARATION /
EXTRACTION
(Extract data requested)

What is the timezone settings?

PREPARATION /
EXTRACTION
(Extract data requested)

Who is the registered owner?

PREPARATION /
EXTRACTION
(Add Extracted data to
Prepared /Extracted Data
List)

What is the computer account name?

PREPARATION /
EXTRACTION
(Add Extracted data to
Prepared /Extracted Data
List)

What is the primary domain name?

PREPARATION /
EXTRACTION
(Add Extracted data to
Prepared /Extracted Data
List)

8. When was the last recorded computer shutdown

date/time?

9.

PREPARATION /
EXTRACTION
(Duplicate and verify
integrity of Forensic Data?)

How many accounts are recorded (total number)?

10. What is the account name of the user who mostly

uses the computer?

PREPARATION /
EXTRACTION
(Add Extracted data to
Prepared /Extracted Data
List)
PREPARATION /
EXTRACTION
(Add Extracted data to
Prepared /Extracted Data
List)
IDENTIFICATION
(Data relevant to the forensic
request- > Relevant Data
6 | Page

List)
11.

Who was the last user to logon to the computer?

A search for the name of Greg Schardt reveals

multiple hits. One of these proves that Greg Schardt
12.
is Mr. Evil and is also the administrator of this
computer. What file is it? What software program
does this file relate to?

13.

List the network cards used by this computer

IDENTIFICATION
(Data relevant to the forensic
request- > Relevant Data
List)
ANALYSIS
(Associated Artifacts and
Metadata)
PREPARATION /
EXTRACTION
(Add Extracted data to
Prepared /Extracted Data
List)

14. This same file reports the IP address and MAC

address of the computer. What are they?

IDENTIFICATION
(Data relevant to the forensic
request- > Relevant Data
List)

An internet search for vendor name/model of NIC

cards by MAC address can be used to find out which
15. network interface was used. In the above answer, the
first 3 hex characters of the MAC address report the
vendor of the card. Which NIC card was used during
the installation and set-up for LOOK@LAN?

IDENTIFICATION
(Data relevant to the forensic
request- > Relevant Data
List)

16. Find 6 installed programs that may be used for

hacking.

IDENTIFICATION
(Data relevant to the forensic
request- > Relevant Data
List)

17.

What is the SMTP email address for Mr. Evil?

ANALYSIS
(Who/What)

18. What are the NNTP (news server) settings for Mr.
Evil?

ANALYSIS
(Who/What)

19.

What two installed programs show this information?

ANALYSIS
(Who/What)

List 5 newsgroups that Mr. Evil has subscribed to?

ANALYSIS
(Associated Artifacts and
Metadata)

20.

21. A popular IRC (Internet Relay Chat) program called

MIRC was installed. What are the user settings that

ANALYSIS
(Other Connections)
7 | Page

was shown when the user was online and in a chat

channel?
22.

This IRC program has the capability to log chat

sessions. List 3 IRC channels that the user of this
computer accessed.

ANALYSIS
(Associated Artifacts and
Metadata)

Ethereal, a popular sniffing program that can be

used to intercept wired and wireless internet packets
was also found to be installed. When TCP packets
23.
are collected and re-assembled, the default save
directory is that users \My Documents directory.
What is the name of the file that contains the
intercepted data?

ANALYSIS
(Who/What)

Viewing the file in a text format reveals much

information about who and what was intercepted.
24.
What type of wireless computer was the victim
(person who had his internet surfing recorded)
using?

IDENTIFICATION
(Data relevant to the forensic
request- > Relevant Data
List)

25.

What websites was the victim accessing?

ANALYSIS
(Who/What)

26. Search for the main users web based email address.
What is it?

ANALYSIS
(Who/What)

27. Yahoo mail, a popular web based email service,

saves copies of the email under what file name?

IDENTIFICATION
(Data relevant to the forensic
request- > Relevant Data
List)

28.
29.

How many executable files are in the recycle bin?

ANALYSIS
(Where)

Are these files really deleted?

ANALYSIS
(Who/What)

30. How many files are actually reported to be deleted

by the file system?

ANALYSIS
(How)

31. Perform an Anti-Virus check. Are there any viruses

on the computer?

ANALYSIS
(Associated Artifacts and
Metadata)

8 | Page

ASSIGNMENT NO: 3
Objective: Solve the Greg Schardt hacking case using Encase V4
Scenario:
On 09/20/04, a Dell CPi notebook computer, serial # VLQLW, was found abandoned along
with a wireless PCMCIA card and an external homemade 802.11b antennae. It is suspected
that this computer was used for hacking purposes, although cannot be tied to a hacking
suspect, Greg Schardt. Schardt also goes by the online nickname of Mr. Evil and some of
his associates have said that he would park his vehicle within range of Wireless Access Points
(like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic,
attempting to get credit card numbers, usernames & passwords.
Find any hacking software, evidence of their use, and any data that might have been
generated. Attempt to tie the computer to the suspect, Greg Schardt.

Questions:Q1. What is the image hash? Does the acquisition and verification hash match?
Soln. AEE4FCD9301C03B3B054623CA261959A .Yes, they match.

9 | Page

Q2: What operating system was used on the computer?

Soln: Microsoft Windows XP
PATH:
C:\WINDOWS\Sysrem32\Config\Software\Microsoft\WindowsNT\CurrentVersion\ProductName

Q3: When was the install date?

Soln: 08/19/04 05:48:27PM
PATH:
C:\WINDOWS\Sysrem32\Config\Software\Microsoft\WindowsNT\CurrentVersion\ InstallDate

10 | P a g e

Q4. What is the timezone settings?

Soln. Central Daylight Time (-05hrs GMT)
PATH: C\WINDOWS\system32\config\system\Control\TimeZoneInformation\DaylightName

Q5. Who is the registered owner?

Soln. Greg Schardt
PATH:
C:\WINDOWS\Sysrem32\Config\Software\Microsoft\WindowsNT\CurrentVersion\RegisteredOwner

11 | P a g e

Q6. What is the computer account name?

Soln. N-1A9ODN6ZXK4LQ
PATH:
C:\WINDOWS\system32\config\software\Microsoft\WindowsNT\CurrentVersion\Winlogon\
DefaultDomainName

Q7. What is the primary domain name?

Soln. Mr. Evil
PATH: C\Program Files\Look@LAN\irunin.ini

12 | P a g e

Q8. When was the last recorded computer shutdown date/time?

Soln. 2004/08/27-10:46:27
PATH:
C:\WINDOWS\system32\config\software\Microsoft\WindowNT\CurrentVersion\Prefetcher\ExitTime

Q9. How many accounts are recorded (total number)?

Soln. 5
Administrator
Guest
HelpAssistant
Mr. Evil
SUPPORT_388945a0

PATH:
C\WINDOWS\system32\config\SAM\NTRegistry\ SAM\Domains\Account\Users\Names\

13 | P a g e

Q10. What is the account name of the user who mostly uses the computer?
Soln.
Q11.Who was the last user to logon to the computer?
Soln. Mr. Evil
PATH:
C:\WINDOWS\system32\config\software\Microsoft\WindowsNT\CurrentVersion\Winlogon\
DefaultUserName

14 | P a g e

Q12. A search for the name of Greg Schardt reveals multiple hits. One of these proves that
Greg Schardt is Mr. Evil and is also the administrator of this computer. What file is it? What
software program does this file relate to?
Soln. PATH: C:\Program Files\Look@LAN\irunin.ini
Look@LAN

Q13. List the network cards used by this computer?

Soln. Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)
Compaq WL110 Wireless LAN PC Card
PATH: C\WINDOWS\system32\config\software\NTRegistry\$$
$PROTO.HIV\Microsoft\Windows NT\CurrentVersion\NetworkCards\

15 | P a g e

Q14. This same file reports the IP address and MAC address of the computer. What are they?

16 | P a g e

Soln. 192.168.1.111
0010a4933e09

Q15. An internet search for vendor name/model of NIC cards by MAC address can be used
to find out which network interface was used. In the above answer, the first 3 hex characters
of the MAC address report the vendor of the card. Which NIC card was used during the
installation and set-up for LOOK@LAN?
Soln. Xircom

17 | P a g e